Tuesday, January 28, 2014

Packet Analysis 101 - Initiating the Capture

Let's Look at the Packets!

How often have you heard, "This application isn't working.  Is it the [IPS/IDS/Proxy/Firewall] again?"

Ten years ago, when someone couldn't check their email or perform a web-based task, the first question was whether the server was even powered on.  Servers have since become far more reliable, and server-specific outages are now rare.  As a result, when an application doesn't work the blame typically falls on a device at the network boundary, and more often than not on the proxy and/or firewall.

So, how do you figure out where to target your efforts if your network looks like this?

Only a slight exaggeration...
Obviously there are other elements to troubleshoot, but it's often helpful and sometimes required to take a packet capture.

What is a Packet?

A packet is a block of binary data (001010101010) that can be transmitted across the network from one device to another.  We'll get into specific examples in later posts.  A packet is built in layers: each layer adds its own header in front of the data it carries, and the innermost part is the payload, the application data.  The headers contain transmission-related information (addresses, ports, sequence numbers), and a few layers also append a trailer after the payload, such as the Ethernet frame check sequence.

A common reference for packet header analysis is the SANS TCP/IP and tcpdump cheat sheet.  The image below shows excerpts including the Ethernet header (OSI Layer 2), the IP header (OSI Layer 3), and the TCP header (OSI Layer 4).

TCP/IP headers from SANS, with Ethernet added by me
Notice how I arranged the headers in layers.  These layers follow the abstract but logical OSI model, and it helps to think of them this way when you analyze packets from a capture: the Ethernet header tells you which two interfaces on the local segment exchanged the frame, the IP header which two end hosts, and the TCP header which application ports and which part of the conversation (SYN, ACK, FIN, and so on) you are looking at.
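To make the layering concrete, here is an added example, not code from the original post or from any of the tools named on this page.  It constructs two Ethernet/IPv4/TCP frames with made-up MAC addresses, IP addresses, ports and an HTTP request, writes them in the libpcap file format that tcpdump and Wireshark save captures in (so it also shows what a capture file actually holds), reads the file image back, and splits each frame into the Ethernet, IP and TCP headers and payload in the same order as the cheat sheet above.  The IP header checksum is computed and verified; the TCP checksum is deliberately left zero since this example does not cover it.

```python
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
PCAP_MAGIC = 0xA1B2C3D4   # little-endian libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(tcp_flags: int, payload: bytes) -> bytes:
    """Constructed sample frame (made-up addresses): Ethernet / IPv4 / TCP / payload."""
    ethernet = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800))             # EtherType IPv4
    # TCP: src port, dst port, seq, ack, data offset (5 words) | flags, window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 2000, (5 << 12) | tcp_flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    src_ip, dst_ip = bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34])
    # IPv4: version|IHL, TOS, total length, ID, flags|fragment (DF), TTL, protocol 6, checksum
    fields = [(4 << 4) | 5, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    return ethernet + ip + tcp + payload


def write_pcap(records) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame). Returns a .pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Returns (link_type, [(ts_sec, ts_usec, frame), ...]) from a .pcap file image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    link_type, = struct.unpack_from("<I", data, 20)
    records, offset = [], 24
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return link_type, records


def decode_frame(frame: bytes) -> dict:
    """Split one Ethernet frame into layers: ethernet, ip, tcp, payload."""
    mac = lambda b: ":".join("%02x" % x for x in b)
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    layers = {"ethernet": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:
        return layers                                    # not IPv4: stop at layer 2
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _csum, sip, dip) = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    layers["ip"] = {"version": ver_ihl >> 4, "header_len": ihl, "id": ident, "ttl": ttl,
                    "protocol": proto, "src": ".".join(map(str, sip)),
                    "dst": ".".join(map(str, dip)),
                    "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0}
    if proto != 6:
        return layers                                    # not TCP: stop at layer 3
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack_from(
        "!HHIIHHHH", frame, 14 + ihl)
    doff = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "header_len": doff, "flags": flags, "window": win}
    # total_len bounds the payload so Ethernet padding is not mistaken for application data
    layers["payload"] = frame[14 + ihl + doff:14 + total_len]
    return layers


if __name__ == "__main__":
    # Constructed two-packet capture: a SYN, then a PSH/ACK carrying an HTTP request.
    capture = write_pcap([
        (1390867200, 0, build_frame(0x002, b"")),
        (1390867200, 500, build_frame(0x018, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    ])
    for ts_sec, ts_usec, frame in read_pcap(capture)[1]:
        layers = decode_frame(frame)
        print(ts_sec, ts_usec, layers["ip"]["src"], "->", layers["ip"]["dst"],
              layers["tcp"]["flags"], "checksum_ok", layers["ip"]["checksum_ok"])
        print("  payload:", layers["payload"])
```

Running the script prints one line per packet with the IP endpoints and TCP flags, followed by the payload, which is empty for the SYN and the HTTP request for the second packet.  A file written by `write_pcap` opens in Wireshark like any other capture, which is a handy way to check that your own decoder agrees with the tool's.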

What is a Packet Capture?

A packet capture is exactly what it sounds like, although some people refer to it as "packet sniffing".  It's a collection of network packets transmitted by and/or between any combination of devices such as those in the nightmare diagram above, recorded along with a timestamp for each packet so they can be examined later.  The next logical question is...

How do I Capture Packets? 

People more commonly ask, "How do I take a packet capture?"  To do so, we need a tool.  Several are available for the express purpose of capturing packets, including Wireshark (my favorite), NetworkMiner, NetWitness Investigator, Microsoft Network Monitor, and Capsa.  They all have unique attributes and capabilities, so I suggest experimenting with them to find out which one you prefer.  Whichever you choose, remember that on a switched network a capture taken on your own workstation only shows traffic to and from that workstation (plus broadcasts); to see a conversation between a client and a server elsewhere, capture on one of the endpoints, on a SPAN/mirror port, or on a network tap.

To get you started, our friends over at Hak5's YouTube channel made a great introductory video using Wireshark:

Although there are video tutorials for the other tools, they focus more on using the tool than on initiating a capture with it.  If I find good ones, I'll post them, but in the meantime check out Wireshark!